BitLocker Zero-Day Bypass Exposes Encrypted Drives via USB

Key Takeaways

- YellowKey exploit bypasses BitLocker encryption on Windows 11 and Server 2022/2025
- The vulnerability works through Windows Recovery Environment using crafted USB files
- Researcher claims TPM+PIN protections do not prevent exploitation
Two Unpatched Flaws, One Angry Researcher
A cybersecurity researcher has published proof-of-concept exploits for two unpatched Microsoft Windows vulnerabilities. The flaws, named YellowKey and GreenPlasma, include a BitLocker encryption bypass and a privilege-escalation bug. Neither has been fixed by Microsoft.
The researcher, known as Chaotic Eclipse or Nightmare Eclipse, describes the BitLocker bypass as functioning like a backdoor. The vulnerable component exists only in the Windows Recovery Environment (WinRE), which Windows uses to repair boot-related issues.
This disclosure follows the same researcher's previous release of two other zero-day flaws: BlueHammer (CVE-2026-33825) and RedSun (no identifier assigned). Both are local privilege escalation bugs. Both were exploited in the wild shortly after public disclosure.
“I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden.”
— Chaotic Eclipse
The researcher said the decision to publicly disclose YellowKey and GreenPlasma was driven by dissatisfaction with Microsoft's handling of bug reports. Chaotic Eclipse has promised to continue leaking exploits for undocumented Windows vulnerabilities. They've also teased "a big surprise" for the next Patch Tuesday.
How YellowKey Works
YellowKey affects Windows 11 and Windows Server 2022/2025. The attack requires placing specially crafted 'FsTx' files on a USB drive or the EFI partition. After rebooting into WinRE and holding the CTRL key, the exploit spawns a shell with unrestricted access to BitLocker-protected volumes.
The bypass also works without external storage. An attacker with existing access can copy the malicious files directly to the EFI partition on the target drive.

Independent security researcher Kevin Beaumont confirmed that the YellowKey exploit is valid. He agreed that BitLocker effectively has a backdoor. As a temporary mitigation, Beaumont recommended using a BitLocker PIN and a BIOS password.
Will Dormann, principal vulnerability analyst at Tharsos Labs, also confirmed that the YellowKey exploit worked with the FsTx files on a USB drive.
TPM+PIN May Not Help
In an update, Chaotic Eclipse claimed the real root cause remains unknown to the general public. More concerning: the researcher says the vulnerability works even in TPM (Trusted Platform Module) and PIN environments.
“No, TPM+PIN does not help, the issue is still exploitable regardless. I asked myself this question, can it still work in a TPM+PIN environment? Yes it does, I'm just not publishing the PoC, I think what's out there is already bad enough.”
— Chaotic Eclipse
The researcher has not released the TPM+PIN bypass exploit, suggesting they consider it too dangerous even by their standards.
Business Risk Assessment
BitLocker is the default full-disk encryption solution for Windows enterprise environments. Many organizations rely on it to protect sensitive data on laptops and servers. A working bypass undermines a core assumption of endpoint security.
The attack requires physical access to the target machine. This limits remote exploitation but creates serious risks for stolen laptops, compromised servers, or insider threats. Organizations with high-value data should assume encrypted drives are no longer secure against determined attackers with physical access.
Microsoft has not yet released a patch or official guidance. Until it does, the recommended mitigations are BIOS passwords (to block unauthorized boots into WinRE), physical security controls, and monitoring for unauthorized reboots into recovery mode.
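The BIOS password the article recommends cannot be checked from inside Windows, but two of the facts it turns on can: which key protectors each BitLocker volume actually uses (TPM-only versus TPM+PIN) and whether WinRE is enabled at all. The audit script below is an added example, not code from the article, the researcher or Microsoft; it assumes the built-in BitLocker module and the English output of `reagentc /info`, and the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the article): per BitLocker volume, list the
# key protectors in use and whether Windows RE is enabled, so an inventory can
# show which machines rely on TPM-only protectors while WinRE is reachable.

function Get-WinREStatus {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line.
    # Assumes English output; other locales need the label adjusted.
    $out = & reagentc.exe /info 2>&1 | Out-String
    if ($out -match 'Windows RE status:\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-BitLockerProtectorAudit {
    $winre = Get-WinREStatus
    foreach ($vol in Get-BitLockerVolume) {
        # Volumes without BitLocker have an empty KeyProtector list.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # TpmPin is the stopgap Beaumont suggested; the researcher claims it
            # is still bypassable, so treat this as an inventory signal, not a
            # proof of safety.
            HasTpmPin        = ($types -contains 'TpmPin')
            TpmOnly          = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
            WinREStatus      = $winre
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

Run it from an elevated session; volumes showing `TpmOnly = True` together with `WinREStatus = Enabled` are the ones most exposed under the article's description of the attack.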
Frequently Asked Questions
What is the YellowKey BitLocker bypass?
YellowKey is an unpatched vulnerability that bypasses BitLocker encryption through the Windows Recovery Environment. Attackers use specially crafted files on a USB drive or EFI partition to gain unrestricted access to encrypted drives.
Which Windows versions are affected by YellowKey?
The exploit affects Windows 11 and Windows Server 2022/2025. The researcher claims the vulnerability works even with TPM and PIN protections enabled.
Does the YellowKey exploit require physical access?
Yes. The attacker needs physical access to the machine to reboot into Windows Recovery Environment and trigger the exploit. Remote exploitation is not possible with this specific vulnerability.
How can organizations protect against YellowKey?
Security researchers recommend setting a BIOS password to prevent unauthorized WinRE boots, enabling BitLocker PIN (though the researcher claims this can also be bypassed), and implementing strong physical security controls.
Has Microsoft patched the YellowKey vulnerability?
No. As of the disclosure date, Microsoft has not released a patch or official guidance for YellowKey or GreenPlasma.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer